Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On May 5, the SEC announced the Commission’s largest-ever award—nearly $279 million—awarded to a whistleblower for providing information and assistance leading to the successful enforcement of SEC and related actions. The SEC noted that this award is more than double the previous record-holding $114 award issued in October 2020. According to the redacted order, the whistleblower voluntarily provided original information, which caused enforcement staff to expand the scope of the investigation and saved the SEC significant time and resources. The whistleblower also provided substantial ongoing assistance, including providing multiple written submissions, communications, and interviews, the SEC said, finding also that the whistleblower satisfied the requirements under Rules 21-F-3(b)(1) for related actions awards as the related successful enforcement actions were partly based on the same information provided to the Commission. However, in the same order, the SEC affirmed denial of two other claimants’ award claims after determining, among other things, that the individuals did not submit information leading to the successful enforcement of the covered action.
On April 28, the SEC settled with a cryptocurrency ATM operator for allegedly selling unregistered tokens in order to raise money to expand its bitcoin ATM network. Described as a “token sale,” the SEC claimed the respondents in total raised crypto assets during an initial coin offering valued at roughly $3.65 million. According to the SEC, the company offered and sold its token as investment contracts, which qualified it as a security since investors would have reasonably expected to obtain future profits from the token’s rise in value based upon the respondents’ efforts. By offering and selling securities without having on file a registration statement with the SEC or qualifying for an exemption, the respondents violated Sections 5(a) and 5(c) of the Securities Act, the SEC said. Additionally, one of the respondents and its CEO were also accused of violating Section 17(a) of the Securities Act and Section 10(b) of the Exchange Act and Rule 10b-5 by making materially false and misleading statements and engaging in other fraudulent conduct connected to the offer and sale of the token. The respondents neither admitted nor denied the SEC’s findings, but agreed to pay a collective $3.92 million civil penalty and said they would cease and desist from committing violations of the Securities Act and the Securities Exchange Act. One of the individual respondents also received a three-year officer and director ban.
District Court orders fintech to pay $2.8 million to settle claims of price manipulation of crypto-assets security
On April 20, the U.S. District Court for the Southern District of New York entered a final judgment in which a fintech company and its former CEO (collectively, “defendants”) have agreed to pay the SEC more than $2.8 million to settle allegations that they manipulated the price of their crypto-assets security. The SEC filed charges against the defendants last September for “perpetrating a scheme to manipulate the trading volume and price” of their digital token, and for effectuating the unregistered offering and sale of such token. The complaint also contended that the defendants hired a third party to create the false appearance of robust market activity for the token and inflated the token’s price in order to generate profits for the defendants. According to the SEC, the defendants allegedly earned more than $2 million as a result. The SEC charged the defendants with violating several provisions of the Securities Act of 1934 and Rule 10b-5, as well as certain sections of the Exchange Act. At the time the charges were filed, the third party’s CEO consented to a judgment (without admitting or denying the allegations), which permanently enjoined him from participating in future securities offerings and required him to pay disgorgement and prejudgment interest.
The defendants, while neither admitting nor denying the allegations, consented to the terms of the April final judgment. The company agreed to pay nearly $2.8 million, including more than $1.5 million in disgorgement of net profits, a civil penalty of more than $1 million, and roughly $240,000 in prejudgment interest. The former CEO agreed to pay more than $260,000, representing disgorgement, prejudgment interest, and a civil penalty. Both defendants are permanently enjoined from engaging in future securities law violations, and are restricted in their ability to engage in any offering of crypto asset securities.
On April 19, the California Department of Financial Protection and Innovation (DFPI) announced enforcement actions against five separate entities and an individual for allegedly offering and selling unqualified securities and making material misrepresentations and omissions to investors in violation of California securities laws. According to DFPI, the desist and refrain orders allege that the subjects (which touted themselves as cryptocurrency trading platforms) engaged in a variety of unlawful and deceptive practices, including promising investors high yield returns through the use of artificial intelligence to trade crypto assets, falsely representing that an insurance fund would prevent investor losses, and using investor funds to pay purported profits to other investors. The subjects also allegedly took measures to make the scams appear to be legitimate businesses through the creation of professional websites and social media accounts where influencers and investors shared testimonials about the money they were supposedly making. The orders require the subjects to stop offering, selling, buying, or offering to buy securities in the state, and demonstrate DFPI’s continued crackdown on high yield investment programs.
On April 14, the SEC reopened the comment period on proposed amendments to the statutory definition of “exchange” under Exchange Act rule 3b-16, which now includes systems that facilitate the trading of crypto asset securities. (See also SEC fact sheet here.) The comment period was reopened in response to feedback requesting information about how existing rules and the proposed amendments would apply to systems that trade crypto asset securities and meet the proposed definition of an exchange, or to trading systems that use distributed ledger or blockchain technology, including such systems characterized as decentralized finance (DeFi). The SEC also provided supplement information and economic analysis for systems that would now fall under the new, proposed definition of exchange. The reopened comment period allows an opportunity for interested persons to analyze and comment on the proposed amendments in light of the supplemental information. Comments are due 30 days after publication in the Federal Register.
“[G]iven how crypto trading platforms operate, many of them currently are exchanges, regardless of the reopening release we’re considering today,” SEC Chair Gary Gensler said. “These platforms match orders of multiple buyers and sellers of crypto securities using established, non-discretionary methods. That’s the definition of an exchange—and today, most crypto trading platforms meet it. That’s the case regardless of whether they call themselves centralized or decentralized.” He added that crypto-market investors must receive the same protections that the securities laws afford to all other markets. Commissioners Mark T. Uyeda and Hester M. Peirce voted against reopening the comment period. Uyeda cautioned against expanding the definition of an “exchange” in an “ambiguous manner,” saying it could “suppress further beneficial innovation.” Peirce also dissented, arguing that the proposal stretches the statutory definition of an “exchange” beyond a reasonable reading in an attempt to “reach a poorly defined set of activities with no evidence that investors will benefit.”
On April 6, the California Department of Financial Protection and Innovation (DFPI) joined a multi-state settlement with a securities brokerage company stemming from an investigation spearheaded by state securities regulators from Alabama, Colorado, California, Delaware, New Jersey, South Dakota, and Texas relating to certain alleged operational and technical failures. According to DFPI, the investigation was triggered by a March 2020 incident in which the brokerage company experienced several platform outages during a period in which hundreds of thousands of investors relied on the company’s app to make trades, thus preventing some users from being able to process trades. The settlement order sets out multiple alleged violations by the brokerage company, including negligently disseminating inaccurate information to customers, failing to have a “reasonably designed customer identification program,” inadequately supervising critical technology, having a deficient system for dealing with customer inquiries, failing to exercise due diligence before approving certain option accounts, and failing to report all customer complaints to FINRA and state securities regulators.
While the company neither admitted nor denied the findings, it agreed to pay up to $10.2 million in penalties and will continue to implement recommendations to address the alleged misconduct. DFPI noted in its announcement that it “found no evidence of willful or fraudulent conduct” by the company, and said the company fully cooperated with the investigation.
On March 31, the SEC announced awards totaling more than $12 million to two whistleblowers whose information and assistance led to a successful SEC enforcement action. According to the redacted order, the first whistleblower prompted the opening of the investigation and provided information on violations that would otherwise have been difficult to detect, including by identifying key witnesses and helping enforcement staff understand complex fact patterns and issues concerning the matters under investigation. This information was also used to create an investigative plan and craft initial document requests. Citing the first whistleblower’s persistent efforts to remedy the issues, and the fact that the information was received several years before the second whistleblower’s information, the SEC said the first whistleblower will receive more than $9 million. The second whistleblower will receive $3 million for submitting important information “as a percipient witness” during the course of the investigation on topics that went beyond what the first whistleblower had been able to provide.
On March 29, the SEC filed a complaint in the U.S. District Court for the Northern District of Illinois against a cryptocurrency trading platform and its executives for allegedly failing to register as a national securities exchange, broker, and clearing agency. The SEC also claimed the founder of the platform used it to raise $8 million in an unregistered token offering and misappropriated at least $900,000 for personal use. Additionally, the SEC charged certain defendant “market makers” operating on the platform as unregistered dealers. The complaint flagged certain defendants as being responsible for maintaining and providing the platform that facilitated the crypto assets that were offered and sold as securities and cited other defendants for operating as an unregistered exchange, broker, and clearing agency or as unregistered dealers.
According to the SEC’s announcement, some of the defendants—without admitting or denying the allegations—“have agreed to perform certain undertakings, including ceasing all activities as an unregistered exchange, clearing agency, broker, and dealer; shutting down the [platform]; providing an accounting of assets and funds for the benefit of customers; transferring all customer assets and funds to each respective customer; and destroying any and all [tokens] in [one of the defendant company’s] possession.” These defendants have agreed to permanent injunctions prohibiting them from engaging in future securities law violations and will pay civil penalties collectively totaling $165,800. Two of these defendants have also agreed to pay a combined amount of $62,779 in disgorgement and prejudgment interest. The SEC said it is continuing to litigate its charges against other defendants for securities fraud and for offering unregistered tokens.
On March 22, the SEC proposed amendments intended to “modernize” filing procedures through the use of electronic filings on EDGAR using structured data as appropriate. (See also SEC fact sheet here.) Currently, registrants must submit many forms required by the Securities Exchange Act, as well as other materials and submissions, in paper form. The proposed rule would require covered self-regulatory organizations (SROs) to submit these filings electronically, and would apply to national securities exchanges, national securities associations, clearing agencies, broker-dealers, security-based swap dealers, and major security-based swap participants. The proposed rule also would require SROs to make certain submissions in a structured, machine-readable data language, and would amend certain provisions regarding the Financial and Operational Combined Uniform Single Report to harmonize it with other rules, make technical corrections, and provide clarifications. Additionally, the announcement noted that the proposed rule would require, in certain circumstances, withdrawal of notices “filed in connection with an exception to counting certain dealing transactions toward determining whether a person is a security-based swap dealer.” Comments on the proposed rule will be accepted 30 days after publication in the Federal Register or until May 22, whichever is later.
On March 15, a divided SEC issued several proposed amendments to the agency’s cybersecurity-related rules.
The first is a proposed rule that would implement cybersecurity requirements for participants in the securities market, including broker-dealers, clearing agencies, and major security-based swap participants, among others. (See also SEC press release and fact sheet.) Among other things, the proposed rule would require all market entities to establish, maintain, and enforce written policies and procedures that are reasonably designed to address cybersecurity risks. Market participants would also be required to review the design and effectiveness of their cybersecurity policies and procedures at least once a year, and immediately provide the SEC written electronic notice of a significant cybersecurity incident should the participant have a reasonable basis to conclude that the incident had occurred or is occurring. Certain market entities would also be required to make public disclosures addressing cybersecurity risks and significant cybersecurity incidents to improve transparency. The SEC explained that the “interconnectedness of [m]arket [e]ntities increases the risk that a significant cybersecurity incident can simultaneously impact multiple [m]arket [e]tities causing systemic harm to the U.S. securities markets.”
The second proposed rule would amend Regulation S-P to enhance the protection of customer information and provide a federal minimum standard for data breach notifications. Regulation S-P requires broker-dealers, investment companies, and registered investment advisers to implement written policies and procedures for safeguarding customer records and information. The regulation also imposes requirements for proper disposal of consumer report information, implements privacy notice and opt-out provisions, and requires covered institutions to tell customers how their financial information is used. (See also SEC press release and fact sheet.) Under the proposed rule, covered institutions would be required to adopt an incident response program to address unauthorized access or use of customer information. Covered institutions would also be required to notify customers affected by certain types of data breaches that may expose them to identity theft or other harm by providing “notice as soon as soon as practicable, but not later than 30 days after the covered institution becomes aware that an incident involving unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.” The proposed rule would also “extend the protections of the safeguards and disposal rules to both nonpublic personal information that a covered institution collects about its own customers and to nonpublic personal information that a covered institution receives about customers of other financial institutions.” Modifications to provisions related to registered transfer agents are also proposed.
Comments on both proposed rules are due 60 days after publication in the Federal Register.
Additionally, the SEC announced it has reopened the comment period on proposed cybersecurity risk management rules and amendments for registered investment advisers and funds. Under the proposed rules, advisers and funds would be required to adopt and implement written policies and procedures reasonably designed to address cybersecurity risks that could harm advisory clients and fund investors. The proposed rules also laid out additional requirements relating to the disclosure of cybersecurity risks and significant cybersecurity incidents as well as filing and recordkeeping. (Covered by InfoBytes here.) The SEC reopened the comment period for an additional 60 days.
In voting against the proposed rules, Commission Hester M. Pierce questioned, among other things, whether the amendments would create overlapping requirements for financial firms subject to state data breach laws that have customer notification provisions, some of which conflict with the SEC’s proposals. Commissioner Mark T. Uyeda also raised concerns as to how the three proposals interact with each other. He cautioned that the “lack of an integrated regulatory structure may even weaken cybersecurity protection by diverting attention to satisfy multiple overlapping regulatory regimes rather than focusing on the real threat of cyber intrusions and other malfeasance.”